
Infosec at Ludicrous Speeds - Rugged DevOps


Published in: Business, Technology


  1. Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed… Gene Kim, IT Revolution Press. Session ID: @RealGeneKim
  2. Act I: IT Ops Fixing Fragile Artifacts
  3. [image only]
  4. Act 2: The Product Managers
  5. Act 3: The Developers
  6. [image only]
  7. [image only]
  8. Act 4: IT Ops And Dev At War
  9. Act 5: Nothing Left For Infosec
  10. [image only]
  11. The Downward Spiral…
  12. The IT Core Chronic Conflict. Every IT organization is pressured to simultaneously: respond more quickly to urgent business needs; provide stable, secure and predictable IT service. Source: the authors acknowledge Dr. Eliyahu Goldratt, creator of the Theory of Constraints and author of The Goal, who has written extensively on the theory and practice of identifying and resolving core, chronic conflicts.
  13. Every Company Is An IT Company… 95% of all capital projects have an IT component… 50% of all capital spending is technology-related. (Chart labels: “We are here…”, “IT is always in the way (again…)”, “Where we need to be…”)
  14. There Must Be A Better Way…
  15. [image only] Source: John Allspaw
  16. [image only]
  17. [image only] Source: John Allspaw
  18. [image only] Source: John Allspaw
  19. [image only] Source: John Allspaw
  20. [image only]
  21. [image only] Source: Theo Schlossnagle
  22. [image only] Source: Theo Schlossnagle
  23. [image only] Source: Theo Schlossnagle
  24. [image only] Source: James Wickett
  25. [image only] Source: John Jenkins
  26. The Three Ways And Six Prescriptive Steps Infosec Can Take
  27. If I Could Wave A Magic Wand, Everyone Will…: become conversant with DevOps and recognize the practices when you see them; be energized about how information practitioners can contribute in this organizational journey; leave with some concrete steps to get some great outcomes; become a part of a team that starts putting DevOps practices into place.
  28. The First Way: Systems Thinking
  29. The First Way: Systems Thinking (diagram labels: Business, Customer)
  30. The First Way: Systems Thinking (Left To Right): understand the flow of work; always seek to increase flow; never unconsciously pass defects downstream; never allow local optimization to cause global degradation; achieve profound understanding of the system.
  31. “Annual business planning sessions can be maddening. They think IT Operations is an ‘all you can eat buffet.’” - Ben Rockwood, Director Systems Engineering, Joyent
  32. Practice #1: Define The Work and Make It Visible: business projects (e.g., new order entry system); internal IT projects (e.g., create new environments, infosec remediation); changes (e.g., deploys, improve database performance); unplanned work (e.g., site down, site impaired, security incident).
  33. Day 2: PMO Meeting
  34. Practice #2: Create One-Step Environment Creation Process: make environments available early in the development process; make sure Dev builds the code and the environment at the same time; create a common Dev, QA and Production environment creation process.
  35. Change the Agile sprint policy: “At the end of each sprint, we must have working code and the environment it runs in!”
  36. Infosec Insurgency: find the automated infrastructure project team (e.g., puppet, chef): release managers can provide hardening guidance; integrate and extend their production configuration monitoring; put ASSERTs to find misconfigurations, enforce https, etc. Define what changes/deploys cannot be made without triggering a full retest.
  37. The First Way: Outcomes: creating a single repository for code and environments; determinism in the release process; consistent Dev, QA, Int, and Staging environments, all properly built before deployment begins; decreased cycle time (reduce deployment times from 6 hours to 45 minutes; refactor a deployment process that had 1300+ steps spanning 4 weeks); faster release cadence.
  38. The Second Way: Amplify Feedback Loops
  39. The Second Way: Amplify Feedback Loops (Right to Left): understand and respond to the needs of all customers, internal and external; shorten and amplify all feedback loops: stop the line when necessary; create quality at the source; create and embed knowledge where we need it.
  40. The Toyota Andon Cord
  41. “We found that when we woke up developers at 2am, defects got fixed faster than ever.” Patrick Lightbody, CEO, BrowserMob
  42. Pattern #3: Embed Dev Into IT Ops: embed Dev into the IT Ops incident escalation process; invite Dev to post-mortems/root cause analysis meetings; have Dev and Infosec cross-train IT Operations; ensure application monitoring/metrics to aid in Ops and Infosec work (e.g., incident/problem management).
  43. The Second Way: Outcomes: defects and security issues getting fixed faster than ever; reusable Ops and Infosec user stories now part of the Agile process; all groups communicating and coordinating better; everybody is getting more work done.
  44. The Third Way: Culture Of Continual Experimentation And Learning
  45. The Third Way: Culture Of Continual Experimentation And Learning. Foster a culture that rewards: experimentation (taking risks) and learning from failure; repetition is the prerequisite to mastery. Why? You need a culture that keeps pushing into the danger zone, and the habits that enable you to survive in the danger zone.
  46. Break Things Early And Often. “Do painful things more frequently, so you can make it less painful… We don’t get pushback from Dev, because they know it makes rollouts smoother.” -- Adrian Cockcroft, Architect, Netflix
  47. [image only]
  48. Pattern #5: Inject Failures Often
  49. You Don’t Choose Chaos Monkey… Chaos Monkey Chooses You
  50. Pattern #6: Break Things Before Production: enforce consistency in code, environments and configurations across the environments; add your ASSERTs to find misconfigurations, enforce https, etc.; add static code analysis to the automated continuous integration and testing process.
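Slides 36 and 50 both call for ASSERTs that catch misconfigurations and enforce HTTPS before a deploy proceeds. The block below is an added example, not code from the deck or from Gene Kim, showing what such a gate looks like when run against an environment's rendered settings in the environment-creation pipeline; the setting names (`listen_ports`, `tls_enabled`, `hsts_max_age`, ...) and the `SAMPLE_ENV` values are constructed assumptions.

```python
# Added example: configuration ASSERTs run as a pipeline gate, in the spirit of
# "put ASSERTs to find misconfigurations, enforce https" (slides 36 and 50).
# Setting names and the sample environment are constructed for this example;
# a real pipeline would collect them from the puppet/chef-built environment.

SAMPLE_ENV = {
    "listen_ports": [80, 443],
    "tls_enabled": True,
    "http_redirects_to_https": True,   # port 80 only bounces to 443
    "tls_min_version": "1.2",
    "hsts_max_age": 31536000,          # one year, in seconds
    "debug_mode": False,
    "admin_allowed_cidrs": ["10.0.0.0/8"],
}

MIN_HSTS_AGE = 180 * 24 * 3600         # ~180 days, a common minimum


def _version(s):
    """Turn '1.2' into (1, 2) so versions compare numerically."""
    return tuple(int(p) for p in str(s).split("."))


def check_environment(cfg):
    """Return a list of misconfiguration findings; an empty list means pass."""
    findings = []
    ports = set(cfg.get("listen_ports", []))
    # Enforce https: there must be a TLS listener, and a plaintext listener
    # is only acceptable when it does nothing but redirect.
    if not cfg.get("tls_enabled") or 443 not in ports:
        findings.append("no HTTPS listener or TLS disabled")
    if 80 in ports and not cfg.get("http_redirects_to_https"):
        findings.append("port 80 serves content instead of redirecting to HTTPS")
    if _version(cfg.get("tls_min_version", "1.0")) < (1, 2):
        findings.append("TLS minimum version below 1.2")
    if cfg.get("hsts_max_age", 0) < MIN_HSTS_AGE:
        findings.append("HSTS max-age shorter than 180 days")
    if cfg.get("debug_mode"):
        findings.append("debug mode enabled in a production candidate")
    if "0.0.0.0/0" in cfg.get("admin_allowed_cidrs", []):
        findings.append("admin interface reachable from any address")
    return findings


def assert_environment(cfg):
    """Gate for the deploy step: raise (stop the line) on any violation."""
    findings = check_environment(cfg)
    assert not findings, "misconfigurations found: " + "; ".join(findings)
    return True
```

Wiring `assert_environment` into the CI job that builds each environment makes a violation fail the build, which is the "stop the line" feedback loop of the Second Way applied to configuration.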
  51. Pattern #6: Allocate 20% Of Cycles To Technical Debt Reduction
  52. Recognize Compounding Technical Debt…
  53. That Gets Worse…
  54. And Fixing It… Source: Pingdom
  55. [image only]
  56. An Innovation Culture. “By installing a rampant innovation culture, they now do 165 experiments in the three months of tax season. Our business result? Conversion rate of the website is up 50 percent. Employee result? Everyone loves it, because now their ideas can make it to market.” -- Scott Cook, Intuit Founder
  57. Why Do I Think This Is Important?
  58. The Downward Spiral…
  59. [image only]
  60. The Three Ways: Some Patterns. First Way: Define The Work And Make It Visible; Make Environments Available Early. Second Way: Wake Up Developers; Embed Dev Into IT Operations. Third Way: Break Things Early And Often; Reserve 20% Of Cycles For Technical Debt Reduction.
  61. [image only]
  62. Help The Business Win…
  63. With Support From Your Peers…
  64. And Do More With Less Effort…
  65. [image only]
  66. When IT Fails: A Business Novel and The DevOps Cookbook. Coming January 15, 2013 and Q1 2013. “The greatest IT management book of our generation.” Branden Williams, CTO Marketing, RSA. “The lessons in When IT Fails might just save your business if IT fails for you. Every IT executive should share this book with their business peers.” James Turnbull, VP Operations, Puppet Labs and author of “Pro Puppet”. “This book will have a profound effect on IT, just as The Goal did for manufacturing.” Jez Humble, co-author of the Jolt award-winning book Continuous Delivery, and Principal at ThoughtWorks Studios.
  67. Our Mission: Positively Impact The Lives Of One Million IT Workers By 2017. For these slides, the “Top 10 Things You Need To Know About DevOps,” Rugged DevOps resources, and updates on the book: Sign up at Email; or text “[email] 74730” to +1 (858) 598-3980; Visit: